Hacking Internet Kiosks and iKAT

iKAT (Interactive Kiosk Attack Tool) is an excellent online resource. Point your kiosk's browser in its direction and use its online tools to escape the sandbox!

http://ikat.ha.cked.net/

The tips below are taken from Paul Craig's Defcon 16 presentation "Hacking Internet Kiosk's", available at:

http://defcon.org/images/defcon-16/dc16-presentations/defcon-16-craig.pdf

1- Accessing the filesystem through the browser's URL bar, or through any other control that gives us a way of browsing the filesystem. Different representations of a sample c:\windows string:

File:/C:/windows File:/C:\windows\ File:/C:\windows/ File:/C:/windows
File://C:/windows File://C:\windows/ file://C:\windows C:/windows
C:\windows\ C:\windows C:/windows/ C:/windows\
%WINDIR% %TMP% %TEMP% %SYSTEMDRIVE% %SYSTEMROOT% %APPDATA% %HOMEDRIVE% %HOMESHARE%

2- If we find a View or Open File dialog, navigate the filesystem and look for cmd.exe: try to execute it, or drag and drop a file onto cmd.exe to spawn it.

3- Internet Explorer's 'image toolbar', which pops up when you click on a large image, offers File/Save, Print, Mailto, or even "Open My Pictures".

4- Keyboard shortcuts. Besides the obvious ones, try these (some are probably obvious too): CTRL-B, CTRL-I, CTRL-H, CTRL-L, CTRL-O, CTRL-P, CTRL-S

5- Hidden kiosk menu! Try to guess the key combo (CTRL-ALT-F8? F9?)

6- The about: protocol handler. about:<a href="c:\windows\">Click-Here</a> may work.

7- The shell: protocol handler: shell:Profile, shell:ProgramFiles, shell:System, shell:ControlPanelFolder, shell:Windows

8- shell: with a class ID, e.g.: shell:::{21EC2020-3AEA-1069-A2DD-08002B30309D}

Additionally, from my own experience, the kiosk may come with a full multimedia keyboard. Make use of every single multimedia button! It will probably make things easier and faster. Not to mention that you should press the buttons 100 times in a row; you will be amazed at how many race conditions there are.

Peeeeace

 

Disguising a USB drive as a standard phone jack @ home

John Biggs over at Crunchgear.com has written an article on how to hide a USB drive inside a wall, disguised as a standard phone jack.

This adds to a series of helpful links on physical security and secure practices!

http://www.crunchgear.com/2008/10/06/quick-tip-hide-your-usb-drives-away-deep-in-the-wall/

Enjoy

 

Python script for renaming and deleting files recursively (AKA: Fixing a broken magento update)

While updating a Magento (http://www.magentocommerce.com/) deployment, the updater failed after having successfully downloaded each new file, leaving hundreds of files of the form:

.tmpWhateverFile.php <-- looks like the new version of the file

WhateverFile.php.bak <-- looks like the renamed original, queued for deletion

The following Python script should help: it renames the .tmp version of each file back to the original filename and removes the .bak files. It refuses to rename over a file that already exists, so a .tmp file whose original was never moved aside is left alone for you to look at.

import os
import re

# .tmpWhateverFile.php is the new version of WhateverFile.php
TMP_FILES = re.compile(r"^\.tmp.+")
# WhateverFile.php.bak is the original the updater queued for deletion
BAK_FILES = re.compile(r"^.+\.bak$")


def list_files(directory):
    """Walk directory recursively, renaming .tmp files and removing .bak files."""
    subdirlist = []
    for fname in os.listdir(directory):
        path = os.path.join(directory, fname)
        if os.path.isfile(path):
            # search for tmp files and rename them back to the real filename
            if TMP_FILES.match(fname):
                newname = fname[len(".tmp"):]
                newpath = os.path.join(directory, newname)
                if os.path.exists(newpath):
                    # the original was never moved aside; do not clobber it
                    print("skipping", fname, "because", newname, "already exists")
                else:
                    os.rename(path, newpath)
                    print(fname, "renamed to:", newname)
            # remove the .bak copies left behind by the failed update
            if BAK_FILES.match(fname):
                print("removing file:", fname)
                os.remove(path)
        elif os.path.isdir(path):
            subdirlist.append(path)

    for subdir in subdirlist:
        list_files(subdir)


list_files(r"d:\test-dir\code")

Enjoy,

-AV

 

CLOC - Count Lines of Code

I mentioned this tool in my previous post, but it deserves a dedicated post of its own! If you are looking for a tool to count lines of source code, here's a nice one.

Take a look at CLOC (http://cloc.sourceforge.net/), an excerpt from its website:

“cloc counts blank lines, comment lines, and physical lines of source code in many programming languages. It is written entirely in Perl with no dependencies outside the standard distribution of Perl v5.6 and higher (code from some external modules is embedded within cloc) and so is quite portable. cloc is known to run on many flavors of Linux, AIX, Solaris, IRIX, z/OS, and Windows. (To run the Perl source version of cloc on Windows one needs ActiveState Perl 5.6.1 or higher, or Cygwin installed. Alternatively one can use the Windows binary of cloc generated with perl2exe to run on Windows computers that have neither Perl nor Cygwin.)

cloc contains code from David Wheeler’s SLOCCount, Damian Conway and Abigail’s Perl module Regexp::Common, and Sean M. Burke’s Perl module Win32::Autoglob, … ”

Hope you find it useful

 

Counting lines of source code

If you have ever been involved in scoping a source code audit, you have probably run into the situation where you have to figure out how to count the code. There are several things involved:

  • What tool are you going to use to count it?
  • Should the tool be able to understand the language?
  • Or will you simply use a line counting tool such as wc -l?
  • What will you consider in your count? Code lines, blank lines, what about comments?

I'm going to cover each of the points above, based on my own experience. I invite you to submit and share your comments based on your own experiences as well.

I believe in providing [potential] customers with accurate information, and I understand that sometimes that may not even be possible. But when it comes to counting lines of source code, I'd rather use a tool that can parse the code than simply run "wc -l". However, any functional bug in the tool you use may end up affecting your estimate considerably, and for that reason you need to test the tool first (or make sure it has already been tested). The main benefit of parsing the source code, rather than simply counting raw lines in a file, is the ability to identify source code comments (the way comments are written varies from language to language).

Now, why would you be interested in identifying source code comments? Good question! It depends on how you perform your scoping. The reasons I can think of are:

  • You have one metric for lines of source code and a different one for comments (on average, comments should be easier and faster to read).
  • You want to exclude comments from the estimate, and you are fine with working a bit extra to cover any comments.
  • You want to exclude comments from the estimate, and you will simply blink, look away or close your eyes whenever you go through a commented line during the review.
  • You simply want to provide your client with a breakdown of lines of source code and comments.

I have been on both sides of the court, including comments in the estimate and excluding them. But either way, I have always looked at comments while reviewing code! You could argue that comments don't get compiled or run, or that there could be plenty of dead code lying around, but comments are not only fun: they are a window into the programmer's mind, and what's more valuable than that?! Yes, you can find dead code, but why is that code even there? From one version to the next the dead becomes alive and boom! Flexibility is the key: if you do know of a directory just filled with dead code, why not look at it carefully, or talk to your client about excluding that piece from your estimate?

So it is up to you whether to include comments in your time estimate or not, but whether to review them should not be a choice.

So this all ends up being:

source_code_lines = lines_in_file - blank_lines - comment_lines
comment_lines = lines_in_file - source_code_lines - blank_lines
total = source_code_lines + comment_lines

I have recently found a very nice tool called CLOC (http://cloc.sourceforge.net/), which handles a wide set of programming languages. Test it out!
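To make the difference between "wc -l" and a parsing counter concrete, here is a small Python classifier for C-style source (// and /* */ comments) that applies the formula above. It is an added example for this post, not CLOC's code and not something from the original article. The sample source is constructed for the example, and the classifier assumes that a line holding both code and a trailing comment counts as code, that string literals are skipped so a /* inside one does not open a comment, and that character literals such as '"' are not handled.

```python
# Added example: minimal blank/comment/code classifier for C-style source.
# Not cloc and not the blog's own code; see the assumptions in the docstring.

# Constructed sample input, not taken from any real project.
SAMPLE = """\
/* header comment
   spanning two lines */
#include <stdio.h>

int main(void) {
    // single-line comment
    printf("hello /* not a comment */\\n"); /* trailing comment */
    return 0;   // another trailing comment
}
"""


def raw_line_count(text):
    """What `wc -l` would report: every line, blank or not."""
    return len(text.splitlines())


def count_lines(text):
    """Return {'blank': n, 'comment': n, 'code': n} for C-style source.

    Assumptions made for this example: a line holding code plus a trailing
    comment counts as code; string literals are skipped so a '/*' inside
    one does not open a comment; char literals like '"' are not handled.
    """
    counts = {"blank": 0, "comment": 0, "code": 0}
    in_block = False  # inside a /* ... */ that started on an earlier line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            counts["blank"] += 1
            continue
        has_code = False
        i = 0
        while i < len(line):
            if in_block:
                end = line.find("*/", i)
                if end == -1:
                    i = len(line)          # comment continues on next line
                else:
                    in_block = False
                    i = end + 2
            elif line.startswith("//", i):
                i = len(line)              # rest of the line is comment
            elif line.startswith("/*", i):
                in_block = True
                i += 2
            elif line[i] == '"':
                has_code = True
                j = i + 1                  # skip to the closing quote
                while j < len(line) and line[j] != '"':
                    if line[j] == "\\":    # skip escaped characters
                        j += 1
                    j += 1
                i = j + 1
            elif line[i].isspace():
                i += 1
            else:
                has_code = True
                i += 1
        # a non-blank line with no code on it can only be a comment line
        if has_code:
            counts["code"] += 1
        else:
            counts["comment"] += 1
    return counts


if __name__ == "__main__":
    print("wc -l would say:", raw_line_count(SAMPLE))
    print("parsed:", count_lines(SAMPLE))
```

On the sample, "wc -l" reports 9 lines while the parser reports 5 lines of code, 3 of comments and 1 blank, which is exactly the gap that ends up in your estimate if you only count raw lines.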

Later.

 

Cisco IOS Rootkits are da bomb

Sebastian Muñiz, also known as "topo", who worked hard on creating the first public IOS rootkit (which, among other things, is platform independent), has now created a blog named "Ret2Libc - REVERSE ENGINEERING AND RELATED".

He mentions a document Cisco released in response to his presentation on IOS rootkits (the one he also gave at EuSecWest 2008), which includes several security measures administrators can take to protect their routers.

Take a look at the blog right here: http://ret2libc.blogspot.com/

Later,

 

Testing a personal firewall solution, a couple of resources

I was looking for resources on how to test personal firewall solutions, which are so common these days. Here are some of the things I found that may come in handy to someone looking for the same thing.

History and Advances in Windows Shellcode (see the part on uploading files with debug.exe and VBS)
http://www.phrack.org/issues.html?id=7&issue=62

Bypassing Windows Personal FW’s
http://www.phrack.org/issues.html?issue=62&id=13

Firewall leak tester (a collection of scripts for testing personal firewalls)
http://www.firewallleaktester.com/

Defeating Windows Personal Firewalls
http://www.thehackademy.net/madchat/windoz/win32inc/defeating_windows_personal_firewalls.pdf

Hope those help! I need to add those to the directory.

-AV

 

Mass deleting your e-mails from Gmail

I went crazy yesterday looking for a tool that would easily let me remove every single e-mail from my Gmail account. I really find it hard to believe that, even though I get the "E-mails deleted" message, they are not being kept somewhere for some agency's convenience. Nonetheless, I wanted to take the measure of removing everything, and quickly (I don't have anything to hide really, it's just for learning!).

By quickly I mean that if you have thousands of e-mail conversations, the largest number of e-mails/threads you can list at once within Gmail is 100. Therefore an hour of clicking select-all and delete would have been incredibly insane.

I started googling. I found a Perl script that some guy wrote which simply connected to Gmail's IMAP service and looped through the threads, removing everything with IMAP commands.

Then I found a series of threads about people trying to do the same thing, which is automating the e-mail deletion process, and a discussion on how certain Firefox Greasemonkey (http://www.greasespot.net/) scripts could fake your button clicks, pretty much like a single sign-on session.

I also found Python libraries from 2005, nothing really convincing.

That is when I went back to the Gmail interface and selected all 100 threads on screen, and all of a sudden this amazing "Select all 4015 conversations in Inbox" link appeared! It had already been implemented by Gmail; stupid me, looking somewhere else for the answer!

Clicking on that link gave me a way of selecting everything I had in my Inbox, then again in my Sent mail, and by clicking on the Delete button I moved everything to the Trash. You then have to go to the Trash and delete everything forever.

Hope that saves you some time!

 

Gmail security? Well at least start with customizegoogle

I've been looking around certain Gmail topics, including how to wipe out everything from your Inbox (I will talk about that in my next post), and one of the things I was interested in was 'security'.

If you are a Gmail user and a Firefox user, then consider taking a look at customizegoogle.com

I'm not affiliated with that site by any means, and I dislike the fact that it looks more commercial than good, but the reality is that, along with its promise of being spyware-free, it really does a good job when it comes to protecting your communication with Gmail.

Included in that Firefox plugin are lots of other features, such as disabling Google ads while you search on Google or while you're inside Gmail. But the one I care about most is a feature that forces SSL every time you browse your mail at Gmail.

Why do you need that? Simple. Point your browser to www.gmail.com and you will find that you are automatically redirected to the SECURE version, yes. However, the point of that is to protect your username and password while logging in (otherwise they would be sent in plaintext over the network).

The problem starts right after you have logged in. You will notice that you're no longer in the secure version under SSL, but back on the standard http:// protocol. You can switch back to the secure version manually, that is, by modifying the URL and adding that extra 's' after http, making it https://. Once is OK, twice is fine, but three times, or every single time you log into Gmail, remembering to switch back to the secure version is a freaking pain in the behind. Not to mention that by the time you've realized you are in the insecure version, your e-mail headers (the e-mail list with extracts from the e-mails you received) have already been sent to you in plaintext.

If you add to that my other post, where I mention FireGPG and GPG4Win (http://www.penetrationtests.com/blog/2008/05/07/it-looks-like-the-gpgfirefoxwindowsgmail-puzzle-is-solved/), then you have plenty of security added to the default Gmail package.

Check it out, it’s worth it!

Good luck.

 

Quick shellscript for replacing a watermark

This is meant for replacing your own watermarks, not for stealing someone else's content!

Using ImageMagick (http://www.imagemagick.org) you can easily overlay a portion of an image (every *.jpg in the current directory in this case) with the image that goes on top, your new logo for instance (little.gif in this case):

@echo off
for %%X in (*.jpg) do composite -geometry +0+178 little.gif "%%X" output/"%%X"

The -geometry option gives the horizontal and vertical offset within the original image at which little.gif is placed. The output directory must already exist; composite will not create it.

What does this have to do with penetration testing, you may ask? Well, it could come in useful during a client-side attack where you need to reuse several images quickly, or simply in the sense that during a period when you run out of work, you can work as a designer? Oh well.

Hope it helps, it sure helps me remember.

 
  • © 2009 penetrationtests.com